iwd with EAP-TLS fails with 'Failed to load <pem>'

sky*_*ert 5 wifi key-authentication iwd

I want to connect to an EAP-TLS access point using iwd, however this fails because it apparently cannot open my client key:

# iwctl
[iwd]# station wlan0 connect foo
Not configured

iwd says:

src/network.c:network_connect() 
src/network.c:network_connect_8021x() 
Failed to load /var/lib/wireless/skybert.pem

My kernel is the latest stable one and I've enabled CONFIG_PKCS8_PRIVATE_KEY_PARSER:

# uname -r
5.2.1
# lsmod | grep pkcs8_key_parser
pkcs8_key_parser       16384  0

iwd

# /usr/libexec/iwd --version
0.18
# export IWD_TLS_DEBUG=1
# /usr/libexec/iwd -d
[..]
src/network.c:network_connect() 
src/network.c:network_connect_8021x() 
Failed to load /var/lib/wireless/skybert.pem

/var/lib/iwd/foo.8021x

[Security]
EAP-Method=TLS
EAP-TLS-ClientCert=/var/lib/wirelss/skybert.pem
EAP-TLS-ClientKey=/var/lib/wireless/skybert.des3.key 
EAP-TLS-ClientKeyPassphrase=youwish
EAP-Identity=skybert

The corresponding, working, wpa_supplicant block was:

network={
   ssid="foo"
   key_mgmt=WPA-EAP
   proto=WPA2
   eap=TLS
   identity="skybert"
   client_cert="/var/lib/wireless/skybert.pem"
   private_key="/var/lib/wireless/skybert.des3.key"
   private_key_passwd="youwish"
}

OS

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

(trying to) read the source

From what I can tell, it's ell/ell/pem.c (called from iwd/src/eap-tls-common.c) which cannot load the certificate, but that's as far as I've come. The error message is the same if the path exists or if it doesn't.

Any help would be much appreciated.
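As an added diagnostic (my own example, not code from the question, from iwd or from ell), here is a small POSIX shell script that classifies a PEM file by its header lines. The question's key is named skybert.des3.key and the kernel has pkcs8_key_parser loaded, so the first thing to establish is whether the file is a legacy OpenSSL "RSA PRIVATE KEY" with a Proc-Type/DEK-Info header (DES-EDE3-CBC is the 3DES case) or a PKCS#8 "ENCRYPTED PRIVATE KEY". The sample files it writes are constructed, with placeholder bodies rather than key material, and the file names are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of the question or of iwd/ell: classify a PEM
# file by its header lines so you know which key format you are feeding to
# EAP-TLS-ClientKey= before blaming the loader.

# pem_key_kind FILE -> prints one of:
#   pkcs1-encrypted  legacy "RSA PRIVATE KEY" with Proc-Type/DEK-Info headers
#   pkcs1-plain      legacy "RSA PRIVATE KEY" without encryption headers
#   pkcs8-encrypted  "ENCRYPTED PRIVATE KEY" (PKCS#8, passphrase required)
#   pkcs8-plain      "PRIVATE KEY" (PKCS#8, unencrypted)
#   certificate      a "CERTIFICATE" block (not a key at all)
#   unknown          no recognised PEM header
#   unreadable       file missing or not readable (exit status 1)
pem_key_kind() {
    f=$1
    if [ ! -r "$f" ]; then
        echo unreadable
        return 1
    fi
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$f"; then
        echo pkcs8-plain
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo pkcs1-encrypted
        else
            echo pkcs1-plain
        fi
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo certificate
    else
        echo unknown
    fi
}

# pem_dek_cipher FILE -> prints the cipher named in a legacy DEK-Info header
# (for example DES-EDE3-CBC, i.e. 3DES), or nothing if the file has none.
pem_dek_cipher() {
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
}

# make_samples DIR -> writes constructed sample files. The bodies are the
# base64 of the words "placeholder body, not a real key/cert", so the script
# runs offline without touching any real credential.
make_samples() {
    d=$1
    cat > "$d/legacy-des3.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$d/pkcs8.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
EOF
    cat > "$d/cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBjZXJ0
-----END CERTIFICATE-----
EOF
}

# Stand-alone run: report each sample, plus a deliberately missing path,
# which is the case the question notes gives the same iwd error message.
SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for f in "$SAMPLE_DIR/legacy-des3.key" "$SAMPLE_DIR/pkcs8.key" \
         "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/missing.key"; do
    kind=$(pem_key_kind "$f") || true
    printf '%s: %s %s\n' "$(basename "$f")" "$kind" \
        "$(pem_dek_cipher "$f" 2>/dev/null)"
done
rm -rf "$SAMPLE_DIR"
```

Point the two functions at the real EAP-TLS-ClientCert= and EAP-TLS-ClientKey= paths from the .8021x file (read as the user iwd runs as, so permissions are covered too). If the key reports pkcs1-encrypted with DES-EDE3-CBC, `openssl pkcs8 -topk8 -in skybert.des3.key -out skybert.p8.key` rewrites it as a PKCS#8 encrypted key (it prompts for the old and the new passphrase); the question does not establish that this alone satisfies iwd 0.18, but it removes the legacy-format variable from the diagnosis, and an "unreadable" result narrows it to the path or permissions instead.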

Lin*_*eak 1

From the file pem.c, line 321

With my limited understanding of C, I can only infer from the comment:

/**
 * l_pem_load_private_key
 * @filename: path string to the PEM file to load
 * @passphrase: private key encryption passphrase or NULL for unencrypted
 * @encrypted: receives indication whether the file was encrypted if non-NULL
 *
 * Load the PEM encoded RSA Private Key file at @filename.  If it is an
 * encrypted private key and @passphrase was non-NULL, the file is
 * decrypted.  If it's unencrypted @passphrase is ignored.  @encrypted
 * stores information of whether the file was encrypted, both in a
 * success case and on error when NULL is returned.  This can be used to
 * check if a passphrase is required without prior information.
 *
 * Returns: An l_key object to be freed with an l_key_free* function,
 * or NULL.
 **/

RSA excerpt

Load the PEM encoded RSA Private Key file.

So, no more 3DES(?)

Judging from NIST 2017: Triple DES deprecated by NIST in 2017, this is very likely the cause.